Opened 10 years ago

Last modified 10 years ago

#11 reopened defect

VHost/IP-Mismatch may allow for access to unintended VHosts

Reported by: Daniel Kahn Gillmor Owned by: Daniel Kahn Gillmor
Priority: major Component: code
Version: 5.10 Keywords: test-needed


imported from mantis:

Due to a problem with the way VHost configurations are matched to the connection, it is possible that, on a configuration with multiple IPs (e.g. IPv4/IPv6 or multiple IPv4), an attacker could issue a request on one IP address of the server which requests a VHost that should only be available on a different (possibly private) IP address.

Additional Information

  1. Create two VHosts on different IPs.
    • VHost A on IP1
    • VHost B on IP2
  2. Open a connection to IP1 requesting a domain only available on IP2 (e.g. B).

Expected result: Default Fallback VHost of IP1
Actual result: Some random matching VHost configuration for the domain even if mismatching the IP.

Note that in order to get a configuration of the wrong IP it's enough to have a VHost for Domain A on IP2 as well as IP1 (e.g. the IPv4/IPv6 Dual Stack case). That's also how I noticed this misbehaviour.
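The selection flaw the report describes, modelled as an added example (this is not mod_gnutls code; the addresses, host names and function names are constructed). The flawed selector matches the SNI name against every configured VHost, so a connection to IP1 can be handed the VHost bound only to IP2; the safer selector first restricts candidates to VHosts bound to the address the client actually connected to and falls back to that address's default.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class VHost:
    label: str            # short label used for results
    listen_ip: str        # address the VHost is bound to ("*" = any)
    server_names: tuple   # ServerName plus ServerAlias entries


# Constructed configuration reproducing the dual-stack case from the ticket:
# domain A is served on both IP1 (IPv4) and IP2 (IPv6), B only on IP2.
IP1, IP2 = "192.0.2.10", "2001:db8::10"   # documentation-range addresses
VHOSTS = (
    VHost("A-v4", IP1, ("a.example",)),
    VHost("A-v6", IP2, ("a.example",)),
    VHost("B-v6", IP2, ("b.internal.example",)),
)


def select_vhost_by_name_only(vhosts, local_ip, sni):
    """Flawed selection as described in the report: the SNI name is matched
    against every VHost, ignoring which local address the client reached."""
    for vh in vhosts:
        if sni in vh.server_names:
            return vh
    return vhosts[0]  # global default, independent of local_ip


def select_vhost_by_ip_and_name(vhosts, local_ip, sni):
    """Safer selection: only VHosts bound to the connection's local address
    (or a wildcard) are candidates; unmatched names get that address's default."""
    local = ip_address(local_ip)
    candidates = [vh for vh in vhosts
                  if vh.listen_ip == "*" or ip_address(vh.listen_ip) == local]
    if not candidates:
        return None
    for vh in candidates:
        if sni in vh.server_names:
            return vh
    return candidates[0]  # default fallback VHost for this IP


if __name__ == "__main__":
    # Step 2 of the report: connect to IP1 but request the name bound only to IP2.
    print(select_vhost_by_name_only(VHOSTS, IP1, "b.internal.example").label)
    print(select_vhost_by_ip_and_name(VHOSTS, IP1, "b.internal.example").label)
```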

Change History (2)

comment:1 Changed 10 years ago by Daniel Kahn Gillmor

Resolution: fixed
Status: new → closed

benbe said:

If my tests were correct (OpenSSL s_client didn't like IPv6 and GnuTLS-cli didn't like being told the exact SNI header to send ...) I couldn't convince mod_gnutls to send VHosts differing from those configured on the webserver for the IP I was connecting to. Due to the various bugs in OpenSSL s_client and gnutls-cli I couldn't verify this holds true for the Host header sent when the TLS session is established, though. But given the VHost selection with Wildcard Aliasing being fixed too, this issue should not be exploitable anymore.

dash said:

According to BenBE [reporter] this seems not exploitable in /trunk.

comment:2 Changed 10 years ago by Daniel Kahn Gillmor

Keywords: test-needed added
Resolution: fixed
Status: closed → reopened

I'd like to see a test written for this, though.
